diff --git a/docs/nmap.usage.txt b/docs/nmap.usage.txt
index 86b96c9fd..75eba3ffb 100644
--- a/docs/nmap.usage.txt
+++ b/docs/nmap.usage.txt
@@ -75,6 +75,8 @@ FIREWALL/IDS EVASION AND SPOOFING:
 -e : Use specified interface
 -g/--source-port : Use given port number
 --proxies : Relay connections through HTTP/SOCKS4 proxies
+ --data : Append a custom payload to sent packets
+ --data-string : Append a custom ASCII string to sent packets
 --data-length : Append random data to sent packets
 --ip-options : Send packets with specified ip options
 --ttl : Set IP time-to-live field
diff --git a/nmap.cc b/nmap.cc
index ed493e68f..74ec06bd0 100644
--- a/nmap.cc
+++ b/nmap.cc
@@ -302,6 +302,8 @@ static void printusage(int rc) {
 " -e : Use specified interface\n"
 " -g/--source-port : Use given port number\n"
 " --proxies : Relay connections through HTTP/SOCKS4 proxies\n"
+ " --data : Append a custom payload to sent packets\n"
+ " --data-string : Append a custom ASCII string to sent packets\n"
 " --data-length : Append random data to sent packets\n"
 " --ip-options : Send packets with specified ip options\n"
 " --ttl : Set IP time-to-live field\n"
@@ -582,6 +584,9 @@ void parse_options(int argc, char **argv) {
 {"packet-trace", no_argument, 0, 0}, /* Display all packets sent/rcv */
 {"version_trace", no_argument, 0, 0}, /* Display -sV related activity */
 {"version-trace", no_argument, 0, 0}, /* Display -sV related activity */
+ {"data", required_argument, 0, 0},
+ {"data_string", required_argument, 0, 0},
+ {"data-string", required_argument, 0, 0},
 {"data_length", required_argument, 0, 0},
 {"data-length", required_argument, 0, 0},
 {"send_eth", no_argument, 0, 0},
@@ -819,7 +824,32 @@ void parse_options(int argc, char **argv) {
 } else if (optcmp(long_options[option_index].name, "version-trace") == 0) {
 o.setVersionTrace(true);
 o.debugging++;
+ } else if (optcmp(long_options[option_index].name, "data") == 0) {
+ if (o.extra_payload)
+ fatal("Can't use the --data option(s) multiple times, or together.");
+ u8 *tempbuff=NULL;
+ size_t len=0;
+ if( (tempbuff=parse_hex_string(optarg, &len))==NULL)
+ fatal("Invalid hex string specified");
+ else {
+ o.extra_payload_length = len;
+ o.extra_payload = (char *) safe_malloc(o.extra_payload_length);
+ memcpy(o.extra_payload, tempbuff, len);
+ }
+ if (o.extra_payload_length > 1400) /* 1500 - IP with opts - TCP with opts. */
+ error("WARNING: Payloads bigger than 1400 bytes may not be sent successfully.");
+ } else if (optcmp(long_options[option_index].name, "data-string") == 0) {
+ if (o.extra_payload)
+ fatal("Can't use the --data option(s) multiple times, or together.");
+ o.extra_payload_length = strlen(optarg);
+ if (o.extra_payload_length < 0 || o.extra_payload_length > MAX_PAYLOAD_ALLOWED)
+ fatal("string length must be between 0 and %d", MAX_PAYLOAD_ALLOWED);
+ if (o.extra_payload_length > 1400) /* 1500 - IP with opts - TCP with opts. */
+ error("WARNING: Payloads bigger than 1400 bytes may not be sent successfully.");
+ o.extra_payload = strdup(optarg);
 } else if (optcmp(long_options[option_index].name, "data-length") == 0) {
+ if (o.extra_payload)
+ fatal("Can't use the --data option(s) multiple times, or together.");
 o.extra_payload_length = (int)strtol(optarg, NULL, 10);
 if (o.extra_payload_length < 0 || o.extra_payload_length > MAX_PAYLOAD_ALLOWED)
 fatal("data-length must be between 0 and %d", MAX_PAYLOAD_ALLOWED);
diff --git a/todo/done.txt b/todo/done.txt
index e9b049ea1..d61fbe7f6 100644
--- a/todo/done.txt
+++ b/todo/done.txt
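Review bot: The `--data` branch never bounds the parsed payload against MAX_PAYLOAD_ALLOWED, which both the `--data-string` and `--data-length` branches enforce, so a hex spec can set o.extra_payload_length to whatever parse_hex_string hands back (its static buffer in the utils.cc hunk is 16384 bytes) and only the 1400-byte warning fires; adding `if (len > MAX_PAYLOAD_ALLOWED) fatal("data must be between 0 and %d bytes", MAX_PAYLOAD_ALLOWED);` before the safe_malloc makes the three options consistent. The mutual-exclusion checks test only o.extra_payload, and as far as this hunk shows `--data-length` assigns only o.extra_payload_length, so `--data-length N` followed by `--data` or `--data-string` passes the check and is silently overridden; testing o.extra_payload_length as well (assuming it starts at 0, which is not visible here) would close that gap. In the `--data-string` branch the `< 0` test on a value assigned from strlen() can only fire after a narrowing conversion, so either drop it or compare the size_t result before the assignment. The duplicated `1400` threshold and its comment are a candidate for one named constant shared by both branches. parse_options continues outside the hunk on both sides.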
@@ -1,5 +1,10 @@ DONE:
+o Provide an option to send a comment in scan packet data for target
+ network. Examples: --data-string "Scan conducted by Marc Reis from
+ SecOps, extension 2147" or --data-string "pH33r my l3eT
+ s|<iLLz! I'll 0wN UR b0x!"
+
 o We should probably update our included libpcap. We currently include version 1.2.1 (we upgraded to that in April 2012) while the latest version on tcpdump.org is 1.5.3. We make minor changes to
diff --git a/todo/nmap.txt b/todo/nmap.txt
index bf0af8054..83d9f2c4d 100644
--- a/todo/nmap.txt
+++ b/todo/nmap.txt
@@ -71,10 +71,6 @@ o GSOC 2014 student Jay will be looking at these items: topology view. http://seclists.org/nmap-dev/2012/q1/82 has a patch, however it doesn't handle the case of two or more consecutive timeouts.
- o Provide an option to send a comment in scan packet data for target
- network. Examples: --comment "Scan conducted by Marc Reis from
- SecOps, extension 2147" or --comment "pH33r my l3eT
- s|<iLLz! I'll 0wN UR b0x!"
 o Adopt an issue tracking system for Nmap and related tools. We should probably look at our needs and options and then decide on and
diff --git a/utils.cc b/utils.cc
index 4283fc50c..56a0c09b3 100644
--- a/utils.cc
+++ b/utils.cc
@@ -495,6 +495,77 @@ void bintohexstr(char *buf, int buflen, char *src, int srclen) {
 bp += Snprintf(buf + bp, buflen - bp, "\n");
 }
+/** Returns a buffer that contains the binary equivalent to the supplied
+ * hex spec or NULL in case of error.
+ * @warning Returned pointer points to a static buffer that subsequent calls
+ * will overwrite. */
+u8 *parse_hex_string(char *str, size_t *outlen) {
+ char auxbuff[4096];
+ static u8 dst[16384];
+ size_t dstlen=16384;
+ unsigned int i=0, j=0;
+ char *start=NULL;
+
+ if(str==NULL || outlen==NULL)
+ return NULL;
+ /* This catches the empty string possibility "" */
+ if(strlen(str) == 0)
+ return NULL;
+ else
+ memset(auxbuff,0,4096);
+
+ /* String should be treated as a hex number in this format: 0xAABBCCDDEE...
+ * We process it the way it is specified, we don't perform byte order
+ * conversions so if the users says 0x00AA we write dst[0]=0x00, dst[1]==0xAA
+ * no matter the endianness of the host system. */
+ if( !strncmp("0x", str, 2) ) {
+ /* This catches the case of an empty "0x" */
+ if(strlen(str) == 2)
+ return NULL;
+ start=str+2;
+ }
+ /* String should be treated as list of hex char in this format: \x00\xFF\x0A*/
+ else if( !strncmp("\\x", str, 2) ) {
+ /* This catches the case of an empty "\x" */
+ if(strlen(str) == 2)
+ return NULL;
+ /* Copy all interesting bytes to an aux array, discard "\x" */
+ for(i=0; i